AI 资讯
Leetcode 150 | Day 2: Remove Element - Naive vs. Optimized
Leetcode 27: Remove Element Leetcode 27 asks us to remove a specific value from an array. The value to be removed is passed in as a parameter to the function along with the array. Just as we did in Day 1, we will cover a naive approach and an optimized approach and discuss the trade-offs between them. I think in the end there's a pretty clear winner. Let's get started. For both approaches we will use the following values: nums = [1, 3, 3, 2, 4] val = 3 Approach 1: Naive (For Loop + Splice) This approach uses a for loop and leverages .splice() for removals. Solution: var removeElement = function ( nums , val ) { let k = 0 ; for ( let i = 0 ; i < nums . length ; i ++ ) { if ( nums [ i ] === val ) { nums . splice ( i , 1 ); i -- ; } else { k ++ ; } } return k ; }; We begin by initializing a variable k to 0. We then enter the for loop. The condition is standard: create a variable i initialized to 0, continue looping while i is less than nums.length to avoid going past the end of the array, and increment by 1 each time through. Each iteration checks one condition: whether nums[i] is equal to val . If true, we call .splice() on the array. The arguments we pass to splice are i and 1 . i is the index at which we want to start removing, and 1 tells splice to remove only that one element. We then decrement i . The reason for this took me some time to wrap my brain around, so I have included a visual below to make it concrete. The core issue is this: when splice removes an element, every element to the right shifts one index to the left. Without i-- , the loop would increment i on the next iteration and skip right over the element that just shifted in. i-- counteracts that by stepping i back, so after the loop increments it, i lands exactly where the shifted element now sits. If nums[i] !== val , we skip the splice and increment k instead. At the end we return k , which holds the count of elements remaining after all occurrences of val have been removed. Time complexity: O(n²)
AI 资讯
Puppetlabs Modules Roundup – May 2026
This time around we look back at May 2026 and the 11 Puppetlabs module releases on the Forge, with an emphasis on the changes most likely to matter in active environments. Highlighted Updates New Windows audit policy module released! The new audit_policy module has been released by Perforce as a Ruby replacement for the generated DSC community auditpolicydsc module . This module uses Puppet Resources API for managing Windows audit policy using auditpol.exe ruby_task_helper Dependency Bound Update Five Bolt-adjacent modules all bumped the ruby_task_helper upper bound to < 2.0.0 in a coordinated maintenance pass, helping with dependency resolution failures when using Bolt 5.x. Affected modules: vault, terraform, http_request, gcloud_inventory, azure_inventory. CentOS 9 Support Multiple modules added explicit CentOS 9 compatibility, expanding the Linux platform coverage in line with the broader Puppet ecosystem push. Affected modules: concat, inifile. What Updates Happened to Puppetlabs Modules in May 2026? The following is an alphabetical listing of modules which received updates in May 2026. If a module had multiple versions released, the updates are collected together, numbered with the "latest" version available. apt 11.3.1 📅 Latest release: 2026-05-19 (🌐 View on the Forge ) This release introduced an explicit hash value syntax while also adding a param to support purging keyrings and other community contributions. Includes monthly releases: 11.3.1 (2026-05-19), 11.3.0 (2026-05-18). Use explicit hash value syntax instead of shorthand #1285 ( SugatD ) Add param for purging keyrings #1266 ( bwitt ) Include components when suite does not end with slash #1259 ( bwitt ) Bugfix - sources format and ensure => absent fails #1243 ( traylenator ) fix: allow plus signs in ppa #1222 ( moritz-makandra ) Fix and improve DEB822-style template #1212 ( smortex ) audit_policy 1.0.0 🌟 New Module: 2026-05-29 (🌐 View on the Forge ) This new module allows you to manage Windows audit pol
AI 资讯
Microsoft MAI-Thinking-1 & MAI-Code-1-Flash: Developer Guide to 7 New MAI Models
Microsoft launched seven new in-house AI models at Build 2026 on June 2, 2026, marking the company's most significant push yet to build its own frontier AI stack independent of OpenAI. The centerpiece is MAI-Thinking-1, Microsoft's first large-scale reasoning model, built from scratch on clean commercially licensed data using a sparse Mixture of Experts architecture. Alongside it: MAI-Code-1-Flash, a 5-billion-parameter coding model that outperforms Claude Haiku 4.5 by 16 percentage points on SWE-Bench Pro while using 60% fewer tokens on complex tasks. This is the complete developer guide to all seven MAI models, their specs, benchmarks, deployment paths, and what they mean for the AI development ecosystem. Why Seven Models at Once? The strategic context matters. For three years, Microsoft's AI product surface — GitHub Copilot, Azure AI, Bing Chat, Microsoft 365 Copilot — ran almost entirely on OpenAI models. The Build 2026 announcement is Microsoft's public declaration that it is building a parallel, proprietary model stack. Every new MAI model is trained from scratch using "clean and appropriately licensed data, without distillation from third-party models" — language that directly addresses the intellectual property concerns that have accompanied third-party model licensing. The distribution strategy is equally deliberate. Microsoft is not routing MAI models exclusively through Azure. MAI-Thinking-1 and MAI-Code-1-Flash are available via Fireworks AI, Baseten, and OpenRouter — three infrastructure providers that collectively reach developers who explicitly do not want cloud vendor lock-in. This signals a platform-first posture: Microsoft wants MAI to become a model ecosystem, not just an Azure feature. MAI-Thinking-1: The Reasoning Flagship MAI-Thinking-1 is Microsoft's answer to Claude Opus 4.x and GPT-5.5 on the reasoning side of the model spectrum. The architecture is a 35-billion-parameter active / approximately 1-trillion-parameter total sparse Mixture of Ex
AI 资讯
Uber caps employee AI spending after blowing through budget in 4 months
Uber's cutback has occurred after the company had reportedly encouraged staff to use AI as much as possible.
AI 资讯
CodeRabbit Review 2026: Specialist PR Review, the $24/Month Question, and Who Should Actually Pay For It
This article was originally published on aicoderscope.com Most AI coding tools are generalists—they write code, answer questions, and somewhere in the feature list, review pull requests. CodeRabbit is the opposite: one thing, done obsessively. Every feature, every design decision, every pricing tier revolves around making PR review better. After reviewing the pricing, benchmarks, and comparing it to GitHub Copilot's native code review, here's the honest assessment. What CodeRabbit actually is (and what it isn't) CodeRabbit sits between your developer's git push and the merge button. You connect it to your repository host—GitHub, GitLab, Azure DevOps, or Bitbucket—and it automatically reviews every pull request. No button to click. It reads the diff, checks it against your full codebase for context, runs 40+ static analysis tools, then uses a multi-model AI stack to flag bugs, security issues, and style violations directly in PR comments. What it cannot do: generate application code, scaffold features, or replace a coding assistant. It is review-only. That constraint shapes everything about the product. At $40M ARR as of April 2026 (up 700% year-over-year from $5M ARR in April 2025), with 2 million repositories connected and more than 13 million pull requests reviewed, CodeRabbit has clearly found a market. It currently holds the #1 position among AI apps on GitHub Marketplace. How the review actually works Every CodeRabbit review runs in three stages. Stage 1: Context engine. Before analyzing the diff, CodeRabbit indexes your codebase using a retrieval system similar to what backs its code reviews across millions of repositories. It uses NVIDIA Nemotron for this context-gathering and summarization stage—a lightweight open model optimized for retrieval rather than generation. This is why CodeRabbit catches cross-file issues that pure diff-reviewers miss. Stage 2: Static analysis. A deterministic SAST layer runs linters that don't need AI inference: Biome, ESLint, Ruf
AI 资讯
Leetcode 150 | Day 1: Merge Sorted Array - Naive vs. Optimized
There's been no shortage of debate lately about whether grinding Leetcode still makes sense in the age of AI. I think it does. AI is a powerful tool, but it was built by humans; which means it inherited our strengths, our blind spots, and our biases. Leaning on it entirely without understanding what's happening under the hood is a risk. A mentor once told me: those who refuse to use AI are not hireable. But neither are those who rely on it entirely. Learning deeply is how you stay on the right side of that line. This is my journey into just that - learning deeply. Day 1 Leetcode 88: Merge Sorted Array This is an interesting problem. You begin with 4 pieces of data — 2 arrays and 2 integers: nums1 : a sorted array whose length equals nums1.length + nums2.length . The first m elements are valid numbers; the remaining indexes hold 0 s as placeholders. nums2 : a sorted array containing only valid numbers, with a length of n . m : the count of valid numbers in nums1. n : the count of valid numbers in nums2. The objective is to merge both arrays into sorted order in place . Since nums1 is already sized to hold every valid element from both arrays, it's where the final sorted result will live. Approach 1: Naive (Splice + Sort) This solution is 2 lines of code. That's it. It's a testament to how much ES6 advanced JavaScript. nums1 . splice ( m , n , ... nums2 ); nums1 . sort (( a , b ) => a - b ); Here's how it works. We start by calling .splice() on nums1. While .splice() has many use cases, here's what each argument is doing in this context: m : the index where we start deleting elements. Since m is the count of valid numbers in nums1, starting at index m puts us right at the first placeholder 0 — exactly where we want to be. n : the number of elements to delete. Since n equals the length of nums2, we're deleting exactly as many placeholders as we have values to insert. ...nums2 : the values we want to insert in place of the deleted elements. The ... is the spread operato
AI 资讯
Three Targets I Set for My Engineering Team
A while back I set three targets for my engineering team. Not velocity. Not story points. Not "things shipped." Just three numbers. Together they tell me whether the work is moving the way it should, or whether next week is shaping up to be a fire-fighting week. I check two of them most days. The third I used to watch closely...until we lost the tool that measured it. Here they are, and why they earned their spot. Why these and not just velocity The first metric most engineering managers reach for is velocity. Story points completed, tickets closed, work merged. Velocity is worth watching. It is a lagging indicator...it tells you what already happened...but it still shapes what comes next. When a sprint's work doesn't get finished, it rolls into the following one, and that rollover eats into whatever you had planned. What velocity doesn't tell you is how the work moved...whether it moved in a way that's going to come back and bite you. For that you need numbers that describe the shape and quality of the work, not just the amount of it...ideally ones that flag a problem while there's still time to act. These three do that. 1. Average PR size Target: under 300 lines changed per PR. What it tells me: how well the team is decomposing work. A team consistently shipping oversized PRs isn't producing more... they're producing PRs that no reviewer can read carefully. Big PRs get rubber-stamped. Rubber-stamped PRs are where production bugs hide. The 300-line target isn't magic. It's roughly the size below which most reviewers will actually read every line. I tell my team to aim for under 300 changes and to treat 500 as a hard ceiling, give or take a handful of genuine exceptions. Past 500 changes, I consistently see quality, review time, and thoroughness all drop sharply...the PR stops getting read and starts getting skimmed. When the team's average creeps up over a few weeks, I have an early signal that one of three things is happening: Stories are too coarse. The work does
AI 资讯
AI is blowing up music. How should the Grammys handle it?
Today I’m talking with Harvey Mason Jr., who is CEO of the Recording Academy — that’s the outfit that puts on the Grammy Awards. I last talked to Harvey in 2024, when it was obvious that generative AI would upend the music industry, but still not exactly clear how that would happen. Well, it’s been […]
AI 资讯
Testing Discipline: A Beginner's Guide
Image by upklyak on Magnific Run an application. Click a few buttons. If the terminal doesn't have errors, then everything is working. Right? What's the point of writing tests if all seems to be fine. Let's explore testing discipline and why it's a habit every developer should build early. What is Testing Discipline? Testing discipline is the habit of verifying that your code works. It's not something you do at the end of a project. It's something you build into your development process. The goal is simple. Catch bugs as early as possible. A bug found while writing code usually takes minutes to fix. The same bug found in production can take hours to investigate, reproduce, and resolve. The earlier you find problems, the less expensive they become. Different Types of Tests When people talk about testing, they're usually referring to three categories. The first is unit testing . A unit test checks a single piece of functionality, usually a function or method. These tests are fast and easy to write, making them the best place for beginners to start. Next are integration tests . These verify that different parts of your application work together correctly. For example, does your service communicate properly with the database? Finally, there are end-to-end tests . These simulate a real user interacting with the application from start to finish. They provide the most realistic results but are usually slower and more complex. As a beginner, I recommend that you should focus on unit tests first. Different Testing Approaches As you continue learning, you'll come across different testing methodologies. One of the most popular is Test-Driven Development , often called TDD. The idea is simple. Write the test first. Watch it fail. Write enough code to make it pass. Many developers like this approach because it forces them to think about requirements before writing implementation details. You may also hear about Behaviour-Driven Development , or BDD. This approach focuses on desc
AI 资讯
#javascript #webdev #beginners #codenewbie
Hello Dev Community! 👋 It is officially Day 8 of my journey to master the MERN stack! After spending the first week structuring with HTML and styling with CSS, today I finally started learning the core language of web logic: JavaScript . Moving from static designs to actual programming logic feels like unlocking a whole new level of web development. 🧠 Key Learnings From Day 8 Today was all about setting up the foundation in JavaScript and understanding how code runs in the browser. Here is what I covered: 1. The Browser Console & Execution I learned that every browser has a built-in environment to run JavaScript. Writing my very first console.log("Hello World"); and seeing it print in the developer tools console was the perfect start. 2. Variables: Storing Data Safely I learned how to store information using variables and the crucial differences between modern variable declarations: let : For values that can change later in the program (mutable). const : For values that must remain constant and cannot be reassigned (immutable). Note: I also read about var , but learned why modern JavaScript avoids it due to scoping issues. 3. Data Types Fundamentals Data needs a type so the computer knows how to handle it. Today I practiced with: Strings: Plain text enclosed in quotes (e.g., "MERN Stack" ). Numbers: Integers and decimals without quotes (e.g., 2026 ). Booleans: Simple true or false states (e.g., isLearning = true ). 🛠️ What I Actually Code / Experimented With Since I am just starting with core logic, I didn't write code directly into my HTML webpage layout today. Instead, I created a script.js file, linked it to my project, and built a basic script in the console that: Stores a user's name and learning status in variables. Dynamically calculates values (like years left until a milestone). Outputs formatted statements into the browser console. It is simple, but understanding how data moves in the background is incredibly exciting. 🎯 My Goal for Tomorrow (Day 9) Tomorr
AI 资讯
Server-Side Rendering vs Client-Side Rendering: What Developers Should Know
As the web has evolved, so have the strategies for rendering content in browsers. Two of the most widely used approaches today are Server-Side Rendering (SSR) and Client-Side Rendering (CSR). Each has its strengths and trade-offs, and understanding when to use one over the other is key to building fast, scalable, and user-friendly applications. This article explores the key differences, benefits, and common use cases of SSR and CSR, with practical examples. What is Client-Side Rendering (CSR)? Client-Side Rendering means that the browser downloads a minimal HTML shell and renders the content using JavaScript. Most of the work, fetching data, templating, and updating the DOM, happens in the user's browser after the page loads. Benefits Rich interactivity: Ideal for dynamic single-page applications (SPAs). Fast navigation after initial load: Once loaded, switching between views is instantaneous. Great for app-like experiences: Think dashboards, SaaS tools, or email clients. Drawbacks Slower initial page load: The user sees a blank screen until JavaScript loads and executes. SEO challenges: Search engines may struggle to index dynamic content, unless SSR or prerendering is used. Poor performance on slow devices: All rendering logic happens in the browser. What is Server-Side Rendering (SSR)? Server-Side Rendering generates the full HTML on the server for each request. When a user visits a page, the server fetches the data, compiles the HTML, and sends it to the browser, which then hydrates the app into an interactive component. Benefits of SSR: Fast time-to-first-byte (TTFB): HTML is ready and shows up immediately. Better SEO: Search engines receive fully rendered pages. Good for public-facing content: Blogs, marketing sites, e-commerce pages. Drawbacks Increased server load: Every page request triggers rendering logic. Longer time to interactivity: HTML loads quickly, but hydration takes extra time. Requires server infrastructure: Cannot be purely deployed as static f
AI 资讯
5 Anthropic Prompt Caching Patterns That Cut My API Bill 70%
System-prompt caching alone cut repeat-call costs by half Tool definitions cache separately, perfect for agent loops Conversation history caching pays off after turn three 1-hour TTL beats the default 5 minutes for batch jobs My Anthropic API bill dropped 70 percent last month and I did not change a single model. I changed where the cache breakpoints went. Here are the five patterns I now use on every Claude integration I ship. Pattern 1: Cache The System Prompt First The system prompt is the cheapest win and most people skip it. My agents run with a 4,000 token system prompt that explains the role, the output format, the safety rules, and a few examples. That prompt never changes inside a session. Before caching, I paid full input price for those 4,000 tokens on every single call. With an agent that loops 30 times to finish a task, that is 120,000 tokens of pure repetition. The fix is one parameter. I add a cache_control block with type: "ephemeral" to the last content item in the system prompt array. The first call writes the cache and costs slightly more (cache writes carry a small premium). Every call after that reads the cache at roughly one tenth the input price. Here is the rule I follow: the cached block has to be at least 1,024 tokens for Claude Sonnet, or it gets ignored silently. My 4,000 token prompt clears that easily. If your system prompt is short, this pattern does nothing, so do not bother adding the breakpoint to a 200 token instruction. The order matters more than people expect. The cache works as a prefix. Everything before the breakpoint gets stored. Everything after it is read fresh. So I put the stable stuff (role, rules, examples) up top and the volatile stuff (user query, current date) down below the breakpoint. Reorder this wrong and your cache hit rate collapses because the prefix changes on every call. One real number from my logs: a document-classification job that runs 2,000 times a day. The system prompt is 3,800 tokens. Caching it sav
AI 资讯
Ultracode for Codex: Claude-style Dynamic Workflows with a Skill
Claude Code added Dynamic Workflows. Dynamic Workflows are a way to run larger coding tasks as a...
AI 资讯
Arazzo Visualizer: Run API Workflows in VS Code
Most apps don't just call one API endpoint. They call a whole chain of them. For example, you might log in, get a token, and then pass that token to another service. Tracking these multi-step chains can get messy quickly. To help fix this, the OpenAPI Initiative created the Arazzo Specification . It gives us a standard way to link different endpoints into clear workflows. But writing these workflow files by hand in a regular text editor is tough. It is very easy to lose track of how data moves from one step to the next. That is why I built Arazzo Visualizer for VS Code. It is a free, open-source extension that makes the Arazzo spec visual and easy to use. Live Interactive Graphs The extension reads your workflow files and turns them into interactive maps on the fly. See Data Flow: Look at exactly how data moves between steps. Catch Errors Early: Spot broken paths before you even run your code. Clean Layouts: Navigate large workflows without getting lost in thousands of lines of text. Built-In Workflow Runner Seeing the map is great, but testing it is even better. The tool has a step-by-step runner built right into your editor. Run a single step or execute the whole chain. See real-time data payloads and HTTP headers. Watch requests happen live to pinpoint bugs fast. Give it a Try The project is fully open source, and you can grab it or check out the code using the links below: Download: Install it directly from the VS Code Marketplace . Source Code: Check out the repository, report bugs, or contribute on GitHub . Deep Dive: Read my full technical breakdown and design on Medium . If you are working with API chains, I would love for you to try it out. Drop your feedback in the comments below! Note: Arazzo v1.1.0 is out with official AsyncAPI support. I am currently updating the VS Code extension to support these new features. Stay tuned for future updates!
AI 资讯
Opus 4.8 ships Dynamic Workflows — hundreds of parallel subagents per session. Read this before you wire it into prod.
Opus 4.8 ships Dynamic Workflows — hundreds of parallel subagents per session. Read this before you wire it into prod. Anthropic's Opus 4.8 announcement on May 28 spent most of its word count on benchmarks. CursorBench up. Terminal-Bench 2.1 beats GPT-5.5. OSWorld-Verified at 82.3%. Online-Mind2Web at 84%. The legal-agent benchmark broke 10% on all-pass for the first time. Those are the numbers the headline writers grabbed. Buried under the benchmark table is the line that actually changes how you ship agents: Dynamic Workflows. Run hundreds of parallel subagents. Handle codebase-scale migrations spanning hundreds of thousands of lines. That is not a benchmark. That is a new programming model. And it is shipping as a preview, which means the defaults are not what they will be in 90 days. If you are running agents in production and you do not pin your config before the next minor release, your bill is going to surprise you. Here is what the preview actually does. Three tasks it eats alive. One class of work where it loses you money. And the exact config to pin before the dynamic-workflow defaults move under you. What Dynamic Workflows actually changed Before 4.8, parallel subagents on the Anthropic stack meant one of two things. Either you called the Agent tool from inside Claude Code and got a fixed number of side-task subagents — usually capped somewhere around four or eight concurrent. Or you wrote your own orchestrator in TypeScript or Python, called the Messages API in a Promise.all , and handled the queueing yourself. The Agent path was ergonomic but capped. The DIY path was uncapped but the orchestration was your problem — retries, structured output validation, cache invalidation, all of it. Dynamic Workflows in 4.8 collapses both. You write a script — JavaScript, not a separate orchestrator binary — that calls agent() , parallel() , pipeline() , and phase() as primitives. The runtime handles concurrency, structured output validation against JSON Schema, retri
AI 资讯
Claude Code's workflow docs are a menu.
Here is what a real solo founder orders. $ git worktree list ~/app a1b2c3d [ main] ~/app-review e4f5g6h [ review-branch] ~/app-content i7j8k9l [ draft-post] Three checkouts. One machine. Each one runs its own Claude Code session that cannot touch the others. That is a normal workday for me. I run a one person shop. Content and code, same desk, same hour. Anthropic's common workflows page lists about a dozen recipes for everyday work, and the docs are strong. What they do not tell you is which recipes survive contact with a real workday and which ones stay theory. After running Claude Code as my whole operation, five workflows carry the load. Here is the honest split. https://code.claude.com/docs/en/common-workflows 1. Worktrees changed how I work The problem worktrees solve is collision. You ask Claude to fix a bug. While it edits, you want to keep building a feature. Same repo, two streams of edits, and now your working tree is a fight nobody wins. A git worktree is a second checkout of the same repo on its own branch. Claude runs inside it and never sees the other windows. claude --worktree feature-auth Real scenario from this week. The post you are reading was drafted in one worktree while a separate Claude session reviewed an open pull request in another. Neither touched the other's files. When the review finished I merged, came back to the draft, and never lost my place. If you take one workflow from the docs, take this one. The setup cost is close to nothing and parallel agents stop stepping on each other. 2. Subagents protect the one resource you cannot buy more of The model's working memory is your budget. Every file Claude reads to answer a question spends it. Ask "how does our auth refresh work" in a large repo and Claude reads a pile of files to answer. Those files now sit in the window for the rest of the session, crowding out the work you care about. Delegate that to a subagent. use a subagent to investigate how our auth system handles token refresh The
AI 资讯
2487. Remove Nodes From Linked List
In this post i'm gone explain liked list an famous leetcode problem that is " Remove Nodes from linked list ". Problem Statement: You are given the head of a linked list. Remove every node which has a node with a greater value anywhere to the right side of it. Return the head of the modified linked list. Example 1: Input: head = [5,2,13,3,8] Output: [13,8] Explanation: The nodes that should be removed are 5, 2 and 3. Node 13 is to the right of node 5. Node 13 is to the right of node 2. Node 8 is to the right of node 3. Explanation: In this problem statement state that remove the nodes which have the right side (any place) element greater than. let's understand with given example. Node 13 is the right side of the 5,2 nodes thats why 2,5 should be remove. Node 8 is the right side of 3 node thats why 3 should be remove. final result would be [13,8] Solution of the problem: `/** * Definition for singly-linked list. * function ListNode(val, next) { * this.val = (val===undefined ? 0 : val) * this.next = (next===undefined ? null : next) * } */ /** * @param {ListNode} head * @return {ListNode} */ const reverList = function(head){ let prev = null; let curr = head; let next = null; while(curr!=null){ next = curr.next; curr.next = prev; prev = curr; curr = next; } return prev; } var removeNodes = function(head) { // reverse list let reversList = reverList(head); let maxNode = reversList; let prevNode = reversList; let currNode = reversList.next; // removed list while(currNode != null){ if(maxNode.val > currNode.val){ currNode = currNode.next; }else{ maxNode = currNode; prevNode.next = currNode; prevNode = prevNode.next; currNode = currNode.next; } } prevNode.next = null; // reverse list return reverList(reversList); };` If you have any query or suggestions leave your expression👨🏿💻🙌.
AI 资讯
Are Claude skills safe in 2026? What the Snyk ToxicSkills audit actually found
{/* JSON-LD schema is generated server-side in app/blog/[slug]/page.tsx , do not re-add an inline block here, it crashes<br> MDX's Acorn parser on the leading <code>{</code>. */}</p> <h2> <a name="tldr" href="#tldr" class="anchor"> </a> TL;DR </h2> <p>In February 2026, Snyk published the <a href="https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/">ToxicSkills audit</a>, the first large-scale security review of the public Claude Code skills ecosystem. It scanned 3,984 skills from ClawHub and skills.sh. Findings:</p> <ul> <li><strong>13.4%</strong> contained critical-level issues</li> <li><strong>36%</strong> carried prompt-injection payloads</li> <li><strong>1,467</strong> distinct malicious payloads</li> <li><strong>91%</strong> of confirmed malware combined natural-language jailbreaks with executable shell payloads</li> </ul> <p>If you install a Claude Code skill today without reading its source, the probability that it can read your env vars, exfiltrate <code>~/.ssh/</code>, or chain a bash pipeline that bypasses your deny rules is real and measurable. This post is the cheat sheet for evaluating a skill before you install it. The CTA at the bottom is <a href="https://dev.to/skillvault">SkillVault</a>, the bundle we ship for teams who want this work already done.</p> <h2> <a name="why-the-question-is-suddenly-loadbearing" href="#why-the-question-is-suddenly-loadbearing" class="anchor"> </a> Why the question is suddenly load-bearing </h2> <p>Claude Code skills shipped as an open spec in December 2025. By March 2026, MCP downloads were tracking at 97 million per month, and the most-installed marketplace skill had passed 564,000 installs. <a href="https://venturebeat.com/security/claude-code-512000-line-source-leak-attack-paths-audit-security-leaders">Anthropic's source leak</a> on March 31, 2026 made the abstract attack surface visceral: the <code>bashSecurity.ts</code> module has 23 numbered security checks, suggesting each was a real incide
开发者
The Unlikely Journey from Bricks to Bytes
I'm a builder. I taught myself to run servers because freelancers kept burning my money. West London, 2021. I was standing on a site holding a cup of tea that had gone cold an hour earlier, watching a crew argue about where a wall should go. That's my actual job. Schedules, suppliers, the kind of problems that only exist at 7am when half the crew hasn't shown up and the client is already phoning. But my head was somewhere else. I'd been chewing on an idea for a classifieds platform for months. Not a grand vision, nothing with a business plan and projections. Just a gap I could see — a way to connect buyers and sellers that felt easier and more global than what was out there. The problem was that I knew nothing about programming. And I mean nothing. I didn't know what a database was. I'd never written a line of code. My entire technical CV was "reasonably good at not breaking my own phone." So I did what most people in my position do. I tried to buy my way in. The expensive year I found a ready-made classifieds script online. Looked professional, had features, didn't cost the earth. The smart shortcut, I told myself. Then I hired a freelancer to customise it. Then another one, when the first disappeared mid-project. Then another, when the second delivered something that worked on a good day and fell over on a bad one. Here's the thing nobody warns you about hiring freelancers when you can't read code: you can't judge the work. You can't tell the difference between someone who wrote something clean and someone who duct-taped it together to last until the invoice clears. Both show you the same thing — a screen where the button does what the button's meant to do. So you pay, you say thanks, you move on. And three months later the button stops working and the freelancer's gone. Meanwhile the bots had found me. Within weeks of going live, automated scripts were hammering the contact form, then the registration page, then the login. "It's normal," a freelancer told me. "Ha
AI 资讯
Making Codex CLI and Codex.app Use mise-managed Ruby and Node.js
I mostly use Claude Code, but lately I've been using Codex CLI and Codex.app (hereafter "Codex") more often too. My environment is macOS. However, after I started using mise in [2026-03-29-1] , I ran into trouble because Codex wouldn't use the mise-managed Ruby, Node.js, and so on. Here's the state I was in: $ where ruby /usr/bin/ruby $ ruby --version ruby 2.6.10p210 (2022-04-12 revision 67958) [universal.arm64e-darwin25] The Solution I solved it by adding the following to ~/.zshenv : # When Codex CLI and Codex.app run commands, .zshrc's mise activate zsh doesn't take effect, # so add mise shims to PATH. if [ -n " $CODEX_SANDBOX " ] ; then PATH = ${ XDG_DATA_HOME } /mise/shims: $PATH fi Here's the state inside Codex after the change: $ where ruby /Users/masutaka/.local/share/mise/shims/ruby /usr/bin/ruby $ ruby --version ruby 4.0.5 (2026-05-20 revision 64336ffd0e) +PRISM [arm64-darwin25] Codex's Command Execution Environment Is a Sandbox I'd vaguely suspected this for a while, but it seems Codex's command execution environment runs inside a sandbox. You can spot the clues from within Codex: $ env | grep CODEX CODEX_CI=1 CODEX_SANDBOX=seatbelt CODEX_THREAD_ID=019e7806-6025-7c13-a3c6-a70d41c13905 "seatbelt" refers to Apple Seatbelt, which appears to be macOS's sandboxing mechanism. 🔗 macOSで手軽にSandbox環境を構築できるApple Seatbeltの実践ガイド しかしながら、Apple Seatbeltは公式にドキュメントを公開されておらず、非推奨とされています。一方で実際には多くのアプリケーションやツールで使用されています。 (English translation) However, Apple Seatbelt has no officially published documentation and is considered deprecated. Yet in practice, it's used by many applications and tools. I see... According to this article, Claude Code also adopts Apple Seatbelt, and I confirmed that it can be enabled with /sandbox (see the official documentation ). Coming from a background of being used to Claude Code, Codex's sandbox is hard to wrap my head around, but the following article covers it in detail. Much appreciated. 🔗 [Codex] sandbox実行の仕組みと設定方法を完全に理解する Codex also seems to r